Create an IPsec-VPN connection in dual-tunnel mode and associate the connection with a VPN gateway - VPN Gateway

You can create IPsec-VPN connections to establish encrypted communication. Then, you can implement connections between your on-premises data center and a virtual private cloud (VPC) over IPsec-VPN connections. This topic describes how to create and manage IPsec-VPN connections in dual-tunnel mode.

Prerequisites

The procedure for configuring IPsec-VPN is complete. For more information, see Overview.

Create an IPsec-VPN connection

Log on to the VPN gateway console.
In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region in which you want to create an IPsec-VPN connection.
Note
The IPsec-VPN connection must be created in the region of the VPN gateway to be associated with the IPsec-VPN connection.
On the IPsec Connections page, click Create IPsec-VPN Connection.

On the Create IPsec-VPN Connection page, configure the parameters that are described in the following table and click OK.

Basic configurations

Parameter	Description
Name	The name of the IPsec-VPN connection.
Resource Group	The resource group to which the VPN gateway belongs. If you leave this parameter empty, the system displays the VPN gateways in all resource groups.
Associate Resource	The type of network resource to be associated with the IPsec-VPN connection. Select VPN Gateway.
VPN Gateway	The VPN gateway to be associated with the IPsec-VPN connection.
Routing Mode	The routing mode of the IPsec-VPN connection. Valid values: Destination Routing Mode (default): routes and forwards traffic based on the destination IP address. Protected Data Flows: routes and forwards traffic based on the source and destination IP addresses. After you select Protected Data Flows, you must configure the Local Network and Remote Network parameters. After you configure the IPsec-VPN connection, the system automatically adds a policy-based route to the policy-based route table of the VPN gateway. The Source CIDR Block of the route is the Local Network of the IPsec-VPN connection. The Destination CIDR Block of the route is the Remote Network of the IPsec-VPN connection. The next hop of the route is the IPsec-VPN connection. By default, the policy-based route is not advertised. You can advertise the policy-based route to the route table of the VPC to be connected based on your business requirements. For more information, see the Advertise a policy-based route section of the "Configure policy-based routes" topic.
Local Network	The CIDR block of the VPC to be connected to your data center. This CIDR block is used in Phase 2 negotiations. Click the icon to the right of the field to add more CIDR blocks. Note If you specify multiple CIDR blocks, you must set the Internet Key Exchange (IKE) version to ikev2.
Remote Network	The CIDR block of the data center to be connected to the VPC. This CIDR block is used in Phase 2 negotiations. Click the icon to the right of the field to add more CIDR blocks. Note If you specify multiple CIDR blocks, you must set the IKE version to ikev2.
Effective Immediately	Specifies whether to immediately start IPsec-VPN negotiations. Yes (default): immediately starts IPsec-VPN negotiations after the IPsec-VPN connection is created. No: starts IPsec-VPN negotiations when inbound traffic is detected.
Enable BGP	Specifies whether to enable Border Gateway Protocol (BGP) dynamic routing for the tunnels. By default, BGP dynamic routing is disabled. After you enable BGP dynamic routing, the tunnels can automatically learn and advertise data center routes and VPC routes over BGP. This facilitates network maintenance and configuration. Before you use BGP dynamic routing, we recommend that you know more about how it works and its limits. For more information, see Configure BGP dynamic routing.
Local ASN	The local autonomous system number (ASN) of the tunnel. Default value: 45104. Valid values: 1 to 4294967295. Note We recommend that you use a private ASN to establish a connection to Alibaba Cloud over BGP. For more information about the valid values of a private ASN, see the relevant documentation.

Tunnel configurations

The following table describes the tunnel parameters. By default, Tunnel 1 is the primary tunnel and Tunnel 2 is the secondary tunnel. IP Address 1 of the VPN gateway is used to establish Tunnel 1 and IP Address 2 of the VPN gateway is used to establish Tunnel 2. You cannot change the primary or secondary role of the tunnels.

Important

When you create an IPsec-VPN connection in dual-tunnel mode, you must configure two tunnels and ensure that they are available. If you configure or use only one of the tunnels, you cannot experience the redundancy of the active/standby tunnels in the IPsec-VPN connection and the zone-wide disaster recovery capability.

Parameter

Description

Customer Gateway

The customer gateway to be associated with the tunnels.

Both tunnels can be associated with the same customer gateway.

Pre-Shared Key

The pre-shared key that is used to verify identities between the tunnels and peers.

The key must be 1 to 100 characters in length, and can contain digits, letters, and the following special characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : ' , . < > / ?. The key cannot contain spaces.
If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After the IPsec-VPN connection is created, you can click Edit in the Actions column of a tunnel to view the pre-shared key generated by the system. For more information, see the Modify the configurations of a tunnel section of this topic.

Important

Make sure that the tunnels and peers use the same pre-shared key. Otherwise, tunnel communication cannot be established.

Encryption configurations: IKE configurations

Parameter	Description
Version	The IKE version. Valid values: ikev1 ikev2 (default) Compared with IKEv1, IKEv2 simplifies SA negotiations and provides better support for scenarios in which communication is established among multiple CIDR blocks. We recommend that you use IKEv2.
Negotiation Mode	The negotiation mode. Valid values: main (default): This mode offers higher security during negotiations. aggressive: This mode supports faster negotiations and a higher success rate. Whichever mode is used, connections are offered the same level of security for data transmission.
Encryption Algorithm	The encryption algorithm that is used in Phase 1 negotiations. Valid values: aes, aes192, aes256, des, and 3des. Default value: aes, which specifies AES-128. Note If the bandwidth of the VPN gateway is 200 Mbit/s or higher, we recommend that you select aes, aes192, or aes256. 3des is not recommended. Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides high-level encryption and decryption. AES ensures secure data transmission and has little impact on network latency, throughput, and forwarding performance. Triple DES (3DES) offers enhanced security through its triple-layered encryption technique. Compared with AES, 3DES encryption requires a large amount of computation, takes a long time, and downgrades forwarding performance.
Authentication Algorithm	Select the authentication algorithm that is used in Phase 1 negotiations. Valid values: sha1, md5, sha256, sha384, and sha512. Default value: sha1. Note When you add VPN configurations on your on-premises gateway device, you may need to specify the Probabilistic Random Forest (PRF) algorithm. The PRF algorithm can be consistent with the authentication algorithm in the IKE configurations.
DH Group (Perfect Forward Secrecy)	The Diffie-Hellman (DH) key exchange algorithm that is used in Phase 1 negotiations. Valid values: group1: DH group 1. group2 (default): DH group 2. group5: DH group 5. group14: DH group 14.
SA Life Cycle (seconds)	The lifetime of the SA after Phase 1 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.
LocalId	The local ID of the tunnel. The default value is the IP address of the tunnel. This parameter is used only to identify Alibaba Cloud in IPsec-VPN negotiations. You can use an IP address or a fully qualified domain name (FQDN) as the ID. The value cannot contain spaces. We recommend that you use a private IP address. If you set the LocalId parameter to an FQDN, such as example.aliyun.com, the peer ID of the IPsec-VPN connection on an on-premises gateway device must be the same as the value of the LocalId parameter. In this case, we recommend that you set the negotiation mode to aggressive.
RemoteId	The peer ID of the tunnel. The default value is the IP address of the customer gateway. This parameter is used only to identify on-premises gateway devices in IPsec-VPN negotiations. You can use an IP address or an FQDN as the ID. The value cannot contain spaces. We recommend that you use a private IP address. If you set the RemoteId parameter to an FQDN, such as example.aliyun.com, the local ID of the IPsec-VPN connection on an on-premises gateway device must be the same as the value of the RemoteId parameter. In this case, we recommend that you set the negotiation mode to aggressive.

Encryption configurations: IPsec configurations

Parameter	Description
Encryption Algorithm	Select the encryption algorithm that is used in Phase 2 negotiations. Valid values: aes, aes192, aes256, des, and 3des. Default value: aes, which specifies AES-128. Note If the bandwidth of the VPN gateway is 200 Mbit/s or higher, we recommend that you select aes, aes192, or aes256. 3des is not recommended. Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm that provides high-level encryption and decryption. AES ensures secure data transmission and has little impact on network latency, throughput, and forwarding performance. Triple DES (3DES) offers enhanced security through its triple-layered encryption technique. Compared with AES, 3DES encryption requires a large amount of computation, takes a long time, and downgrades forwarding performance.
Authentication Algorithm	Select the authentication algorithm that is used in Phase 2 negotiations. Valid values: sha1, md5, sha256, sha384, and sha512. Default value: sha1.
DH Group (Perfect Forward Secrecy)	The DH key exchange algorithm that is used in Phase 2 negotiations. Valid values: disabled: does not use a DH key exchange algorithm. For clients that do not support perfect forward secrecy (PFS), select disabled. If you select a value other than disabled, PFS is enabled by default. In this case, the key is updated for each negotiation. Therefore, you must enable PFS for your client. group1: DH group 1. group2 (default): DH group 2. group5: DH group 5. group14: DH group 14.
SA Life Cycle (seconds)	Enter a lifetime for the SA after Phase 2 negotiations succeed. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.
DPD	Specifies whether to enable the dead peer detection (DPD) feature. By default, the DPD feature is enabled. After you enable the DPD feature, the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within the specified period of time, the connection fails. Then, the Internet Security Association and Key Management Protocol (ISAKMP) SA, IPsec SA, and IPsec tunnel are deleted. If a DPD packet timeout occurs, the IPsec-VPN connection automatically reinitiates IPsec-VPN negotiations with the tunnel. For VPN gateways created from April 2019 to January 2023: If IKEv1 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 30 seconds. If IKEv2 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 3,600 seconds. For VPN gateways created after February 2023: If IKEv1 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 30 seconds. If IKEv2 is used when you create an IPsec-VPN connection, the timeout period of DPD packets is 130 seconds.
NAT Traversal	Specifies whether to enable the NAT traversal feature. By default, the NAT traversal feature is enabled. After you enable NAT traversal, the initiator does not check UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel.

BGP Configuration

If you enable BGP dynamic routing for the IPsec-VPN connection, you can configure the BGP parameters that are described in the following table. If you disable BGP dynamic routing for the IPsec-VPN connection, you can enable this feature for the tunnels after the IPsec-VPN connection is created. For more information, see the Enable BGP dynamic routing for the tunnels after an IPsec-VPN connection is created section of this topic.

Parameter

Description

Tunnel CIDR Block

The CIDR block of the tunnel.

The CIDR block must fall into 169.254.0.0/16. The mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, or 169.254.169.252/30.

Note

In a VPN gateway, the CIDR block of each tunnel must be unique.

Local BGP IP address

The BGP IP address of the tunnel.

This IP address must fall within the CIDR block of the tunnel.

Tags

When you create an IPsec-VPN connection, you can add tags to the IPsec-VPN connection to facilitate resource aggregation and search. For more information, see Overview.

Parameter	Description
Tag Key	The tag key of the IPsec-VPN connection. You can select or enter a tag key.
Tag Value	The tag value of the IPsec-VPN connection. You can select or enter a tag value. You can leave the Tag Value parameter empty.

In the message that appears, click OK.

What to do next

After an IPsec-VPN connection is created, you must download the peer configurations of the IPsec-VPN connection and upload the configurations to an on-premises gateway device. For more information, see the Download the peer configurations of an IPsec-VPN connection section of this topic and Configure local gateways.

Download the peer configurations of an IPsec-VPN connection

After an IPsec-VPN connection is created, you can download the peer configurations of the IPsec-VPN connection and upload the configurations to your on-premises gateway device to configure your on-premises gateway device.

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region of the IPsec-VPN connection.
On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click Generate Peer Configuration in the Actions column.
Click Copy in the IPsec-VPN Connection Configuration dialog box and save the configuration to an on-premises device.
For more information about how to configure an on-premises gateway device, see Configure local gateways.

View the tunnels of an IPsec-VPN connection

After you create an IPsec-VPN connection, you can view the status and information of the tunnels on the details page of the IPsec-VPN connection.

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region of the IPsec-VPN connection.
On the IPsec Connections page, click the ID the IPsec-VPN connection that you want to manage.

The details page of the IPsec-VPN connection appears. On the Tunnel tab, you can view the status and information of the tunnels.

Parameter	Description
Tunnel/Tunnel ID	The tunnel ID.
Tunnel Primary/Secondary Role	The primary or secondary role of the tunnel. Valid values: Primary: primary tunnel. Secondary: secondary tunnel.
Gateway IP Address	The IP address on the Alibaba Cloud side used to establish the IPsec-VPN connection. By default, the primary tunnel uses IP Address 1 of the VPN gateway. By default, the secondary tunnel uses IP Address 2 of the VPN gateway.
Tunnel CIDR Block	The CIDR block of the tunnel. If you enable BGP dynamic routing for the tunnel, the value is displayed.
Local BGP IP address	The BGP IP address of the tunnel. If you enable BGP dynamic routing for the tunnel, the value is displayed.
Connection Status	The status of the IPsec-VPN negotiations of the tunnel. If the IPsec-VPN negotiations succeed, Phase 2 negotiations succeeded. is displayed. If the IPsec-VPN negotiations fail, the failure information is displayed in the console. You can troubleshoot the issue based on the information. For more information, see Troubleshoot IPsec-VPN connection issues.
Customer Gateway	The customer gateway that is associated with the tunnel. The customer gateway is configured with an IP address and BGP ASN on the data center side.
State	The status of the tunnel. Valid values: Active Updating Deleting

Enable BGP dynamic routing for the tunnels after an IPsec-VPN connection is created

If BGP dynamic routing is not enabled when you create an IPsec-VPN connection, you can enable this feature for the tunnels after the IPsec-VPN connection is created.

Before you enable BGP dynamic routing for an IPsec-VPN connection, make sure that the customer gateway associated with the IPsec-VPN connection has a BGP ASN. If no BGP ASN is configured for the customer gateway, BGP dynamic routing cannot be enabled for the IPsec-VPN connection.

You can delete the current IPsec-VPN connection and create a new IPsec-VPN connection. Then, associate the IPsec-VPN connection with a customer gateway that is configured with a BGP ASN.

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region of the IPsec-VPN connection.
On the IPsec Connections page, click the ID of the IPsec-VPN connection that you want to manage.
On the details page of the IPsec-VPN connection, turn on Enable BGP in the IPsec Connections section.
In the BGP Configuration dialog box, configure BGP dynamic routing and click OK.
You must configure BGP dynamic routing for both tunnels. For more information about the BGP parameters, see the BGP configurations section of this topic.
To disable BGP dynamic routing, click the icon to the right of Enable BGP. In the Disable BGP Configuration dialog box, click OK.

Modify the configurations of a tunnel

You can modify tunnel configurations after you create an IPsec-VPN connection. However, you cannot change the customer gateway that is associated with the tunnels.

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region of the IPsec-VPN connection.
On the IPsec Connections page, click the ID of the IPsec-VPN connection that you want to manage.
On the details page of the IPsec-VPN connection, find the tunnel that you want to manage and click Edit in the Actions column.
On the page that appears, modify the configurations of the tunnel and click OK.
For more information about the parameters, see Tunnel configurations.

Modify the configurations of an IPsec-VPN connection

If an IPsec-VPN connection is associated with a VPN gateway, you cannot change the associated VPN gateway. You can modify only the Routing Mode and Effective Immediately parameters.

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region of the IPsec-VPN connection.
On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click Edit in the Actions column.
On the Modify IPsec-VPN Connection page, modify the configurations of the IPsec-VPN connection, such as the name and CIDR blocks, and click OK.
For more information about the parameters, see the Create an IPsec-VPN connection section of this topic.

Delete an IPsec-VPN connection

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region of the IPsec-VPN connection.
On the IPsec Connections page, find the IPsec-VPN connection that you want to delete and click Delete in the Actions column.
In the dialog box that appears, confirm the information and click OK.

Create and manage IPsec-VPN connections by calling API operations

You can call API operations to create and manage IPsec-VPN connections by using tools such as Alibaba Cloud SDK (recommended), Alibaba Cloud CLI, Terraform, and Resource Orchestration Service (ROS). The following API operations can be called: